
Create configuration Item for Software Update installation

This configuration item resolves software update deployments that sit in the "Past due - will be expired", "Waiting for install" and "Pending verification" states on the client. A discovery script counts the updates the client still reports as missing, and a remediation script asks the client SDK to install them.
Open the SCCM console → Assets and Compliance → Compliance Settings → right-click Configuration Items and choose Create Configuration Item.
[Screenshot: Capture1]
Click Next and add the supported platforms your environment requires.
[Screenshot: Capture2]
Click Next. On the Settings page click New to define a new setting; choose the setting type Script with the data type Integer, so that the compliance rule can compare the integer the discovery script returns.
[Screenshots: Capture3, Capture4]
Now add the discovery script and the remediation script.
The discovery script outputs 1 if any targeted update is still pending (not just waiting for a reboot) and 0 otherwise. It is this output value, not the process exit code, that the compliance rule evaluates.
The remediation script runs only when the discovery script returns 1. By default both scripts run on the client in the local SYSTEM context; if the client setting "PowerShell execution policy" is not set to Bypass, the scripts have to be signed or they will not execute.
Discovery Script:-
$wmicheck = $null
# Cheap probe that WMI is answering before touching the client SDK namespace
$wmicheck = Get-WmiObject -Namespace root\cimv2 -Class Win32_BIOS -ErrorAction SilentlyContinue
if ($wmicheck)
{
    # Get all instances of CCM_SoftwareUpdate in root\CCM\ClientSDK that the client still reports as missing (ComplianceState 0)
    $TargetedUpdates = Get-WmiObject -Namespace root\CCM\ClientSDK -Class CCM_SoftwareUpdate -Filter "ComplianceState=0"
    $approvedUpdates = ($TargetedUpdates | Measure-Object).Count
    # EvaluationState 8 = PendingSoftReboot: already installed, only waiting for a restart.
    # The filter must use $_ (the current pipeline object); filtering on the whole collection counts every update.
    $pendingpatches = ($TargetedUpdates | Where-Object { $_.EvaluationState -ne 8 } | Measure-Object).Count
    $rebootpending  = ($TargetedUpdates | Where-Object { $_.EvaluationState -eq 8 } | Measure-Object).Count
    if ($pendingpatches -gt 0)
    {
        Return 1
    }
    else { Return 0 }
}
Remediation Script:-
# Resolve "past due - will be expired" and "pending verification" issues for software update deployments.
$wmicheck = $null
$wmicheck = Get-WmiObject -Namespace root\cimv2 -Class Win32_BIOS -ErrorAction SilentlyContinue
# Register the event source on first run; later runs fail silently because it already exists
New-EventLog -LogName Application -Source SyncStateScript -ErrorAction SilentlyContinue
if ($wmicheck)
{
    # Get all instances of CCM_SoftwareUpdate in root\CCM\ClientSDK that the client still reports as missing (ComplianceState 0)
    $TargetedUpdates = Get-WmiObject -Namespace root\CCM\ClientSDK -Class CCM_SoftwareUpdate -Filter "ComplianceState=0"
    $approvedUpdates = ($TargetedUpdates | Measure-Object).Count
    # EvaluationState 8 = PendingSoftReboot; the filter uses $_ so each update is tested individually
    $pendingpatches  = ($TargetedUpdates | Where-Object { $_.EvaluationState -ne 8 } | Measure-Object).Count
    $rebootpending   = ($TargetedUpdates | Where-Object { $_.EvaluationState -eq 8 } | Measure-Object).Count
    if ($pendingpatches -gt 0)
    {
        try
        {
            # Re-fetch each missing update as a WMI object reference, which is what InstallUpdates expects
            $MissingUpdatesReformatted = @($TargetedUpdates | ForEach-Object { if ($_.ComplianceState -eq 0) { [WMI]$_.__PATH } })
            # Invoke CCM_SoftwareUpdatesManager.InstallUpdates with the found updates.
            # The unary comma keeps the array together as a single method argument.
            # -ErrorAction Stop turns a failed call into a terminating error so the catch block below sees it.
            $InstallReturn = Invoke-WmiMethod -Namespace root\ccm\clientsdk -Class CCM_SoftwareUpdatesManager -Name InstallUpdates -ArgumentList (,$MissingUpdatesReformatted) -ErrorAction Stop
            Write-EventLog -LogName Application -Source SyncStateScript -EventId 666 -EntryType Information -Message "Targeted Patches: $approvedUpdates, Pending patches: $pendingpatches, Reboot Pending patches: $rebootpending, initiated $pendingpatches patches for install"
        }
        catch
        {
            Write-EventLog -LogName Application -Source SyncStateScript -EventId 667 -EntryType Information -Message "Pending patches: $pendingpatches but unable to install them, please check further. Error: $($_.Exception.Message)"
        }
    }
    else
    {
        Write-EventLog -LogName Application -Source SyncStateScript -EventId 668 -EntryType Information -Message "Targeted Patches: $approvedUpdates, Pending patches: $pendingpatches, Reboot Pending patches: $rebootpending, Compliant"
    }
}
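The block below is an added example, not code from the original post. It performs the same classification the discovery and remediation scripts rely on (targeted, pending, reboot-pending) but over constructed objects that mimic CCM_SoftwareUpdate instances, so the counting logic and the 0/1 discovery value can be checked on any workstation before the configuration item is deployed; a second function runs the same summary against the live client SDK. The state names are the documented values of CCM_SoftwareUpdate.EvaluationState. Treating 9 (PendingHardReboot) and 10 (WaitReboot) as reboot states alongside 8 goes beyond the post's scripts, which check only 8, and is my choice; the function and variable names and the sample data are mine.

```powershell
# Added example, not part of the original post. Names, sample data and the choice of reboot states are assumptions.

# Documented meanings of CCM_SoftwareUpdate.EvaluationState (root\CCM\ClientSDK)
$EvaluationStateNames = @{
    0 = 'None'; 1 = 'Available'; 2 = 'Submitted'; 3 = 'Detecting'; 4 = 'PreDownload'
    5 = 'Downloading'; 6 = 'WaitInstall'; 7 = 'Installing'; 8 = 'PendingSoftReboot'
    9 = 'PendingHardReboot'; 10 = 'WaitReboot'; 11 = 'Verifying'; 12 = 'InstallComplete'
    13 = 'Error'; 14 = 'WaitServiceWindow'; 15 = 'WaitUserLogon'; 16 = 'WaitUserLogoff'
    17 = 'WaitJobUserLogon'; 18 = 'WaitUserReconnect'; 19 = 'PendingUserLogoff'
    20 = 'PendingUpdate'; 21 = 'WaitingRetry'; 22 = 'WaitPresModeOff'; 23 = 'WaitForOrchestration'
}
# States in which the update is installed and only a restart is outstanding (assumption: 9 and 10 added to the post's 8)
$RebootStates = @(8, 9, 10)

function Get-UpdateComplianceSummary {
    param(
        # Objects exposing ComplianceState, EvaluationState and Name: real CCM_SoftwareUpdate instances or test doubles
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Updates
    )
    $targeted = @($Updates  | Where-Object { $_.ComplianceState -eq 0 })
    # $_ is the current pipeline object; filtering on the whole collection would count every update as pending
    $pending  = @($targeted | Where-Object { $RebootStates -notcontains $_.EvaluationState })
    $reboot   = @($targeted | Where-Object { $RebootStates -contains $_.EvaluationState })
    $errors   = @($targeted | Where-Object { $_.EvaluationState -eq 13 })
    [pscustomobject]@{
        Targeted       = $targeted.Count
        Pending        = $pending.Count
        RebootPending  = $reboot.Count
        InError        = $errors.Count
        PendingNames   = @($pending | ForEach-Object { "$($_.Name) [$($EvaluationStateNames[[int]$_.EvaluationState])]" })
        # The value the discovery script hands to the compliance rule: 1 = remediation needed, 0 = compliant
        DiscoveryValue = [int]($pending.Count -gt 0)
    }
}

function Get-LiveUpdateComplianceSummary {
    # Same summary against the real client SDK; needs the ConfigMgr client and is best run as SYSTEM
    $live = @(Get-WmiObject -Namespace root\CCM\ClientSDK -Class CCM_SoftwareUpdate -Filter "ComplianceState=0" -ErrorAction Stop)
    Get-UpdateComplianceSummary -Updates $live
}

# Constructed sample data standing in for CCM_SoftwareUpdate instances (not taken from a real client)
$sample = @(
    [pscustomobject]@{ Name = 'KB-A (cumulative)'; ComplianceState = 0; EvaluationState = 0 }   # never started
    [pscustomobject]@{ Name = 'KB-B (defender)';   ComplianceState = 0; EvaluationState = 8 }   # waiting for reboot
    [pscustomobject]@{ Name = 'KB-C (.NET)';       ComplianceState = 0; EvaluationState = 13 }  # failed install
    [pscustomobject]@{ Name = 'KB-D (installed)';  ComplianceState = 1; EvaluationState = 12 }  # already compliant
)
Get-UpdateComplianceSummary -Updates $sample | Format-List
```

Running the block prints the summary for the constructed data; KB-D is excluded because it is already compliant, KB-B is counted as reboot-pending rather than pending, and KB-C shows up both as pending and as in error, which is why the remediation script will keep retrying it until someone looks at the 667 events it writes.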
First, add the discovery script as shown below.
[Screenshot: Capture5]
Click Compliance Rules and define a new rule on the value returned by the discovery script: the setting is compliant when the returned value equals 0. Tick the option to run the specified remediation script when the setting is noncompliant, so that a returned value of 1 triggers the remediation script.
[Screenshot: Capture2]


Add the remediation script.
[Screenshots: Capture8, Capture9]
Click OK, then Next to finish the wizard.
Now create a configuration baseline and add the configuration item you just created to it.
[Screenshots: Capture9, Capture10, Capture11]
Click OK to complete the baseline creation.
Right-click the new baseline and select Deploy. In the deployment, tick "Remediate noncompliant rules when supported"; without it the client only reports noncompliance and the remediation script never runs.
[Screenshots: Capture13, Capture15]
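The block below is an added example, not part of the original post, for checking on a client that the deployed baseline has arrived and actually evaluates. It looks the baseline up by display name in the client's DCM namespace, triggers an evaluation through the documented SMS_DesiredConfiguration.TriggerEvaluation method, waits for the evaluation timestamp to move, and then lists the events the remediation script writes under the SyncStateScript source. The baseline display name, the function names and the timeout are assumptions.

```powershell
# Added example, not part of the original post. Baseline name, function names and timeout are assumptions.

function Invoke-BaselineEvaluation {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,   # display name of the baseline created in the console (assumed)
        [int] $TimeoutSeconds = 120
    )
    $query = { Get-CimInstance -Namespace root\ccm\dcm -ClassName SMS_DesiredConfiguration |
               Where-Object { $_.DisplayName -eq $DisplayName } }
    $baseline = & $query
    if (-not $baseline) { throw "Baseline '$DisplayName' has not been received by this client yet" }

    $before = $baseline.LastEvalTime
    # Arguments are passed by name, so their order does not matter; IsEnforced makes the client run remediation
    $null = Invoke-CimMethod -Namespace root\ccm\dcm -ClassName SMS_DesiredConfiguration -MethodName TriggerEvaluation -Arguments @{
        Name = $baseline.Name; Version = $baseline.Version; IsEnforced = $true; IsMachineTarget = $true
    }

    # Evaluation is asynchronous: poll until LastEvalTime changes or the timeout expires
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $baseline = & $query
    } while ($baseline.LastEvalTime -eq $before -and (Get-Date) -lt $deadline)

    [pscustomobject]@{
        DisplayName          = $baseline.DisplayName
        Version              = $baseline.Version
        LastEvalTime         = $baseline.LastEvalTime
        # 1 = compliant, 0 = noncompliant; other values mean the baseline has not been evaluated yet
        LastComplianceStatus = $baseline.LastComplianceStatus
        Evaluated            = ($baseline.LastEvalTime -ne $before)
    }
}

function Get-SyncStateEvents {
    param([int] $Last = 10)
    # The remediation script logs event IDs 666 (install started), 667 (install failed) and 668 (compliant) under this source
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SyncStateScript' } -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage on a targeted client, as an administrator; the display name is an assumed value
Invoke-BaselineEvaluation -DisplayName 'Software Update Installation'
Get-SyncStateEvents
```

If Evaluated comes back false, the client has not processed the deployment yet (check the machine policy and DCM logs, CIAgent.log and DcmWmiProvider.log, on the client); if it is true but LastComplianceStatus is 0, the remediation ran and the 667 events show why the install request failed.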
It has been tested and is working fine in my current organisation. If you have any doubt or need help, please comment.
If you don't want to follow this process, another way to achieve compliance is to deploy the remediation script above directly to the affected machines.
Thanks for reading.
